Strategic Cyber Defense: Which Way Forward?
Kenneth Geers
Cooperative Cyber Defence Centre of Excellence
U.S. Naval Criminal Investigative Service
ABSTRACT
Cyber security has evolved from a technical discipline to a strategic, geopolitical concept. The question for national security thinkers today is not how to protect one or even a thousand computers, but millions, including the “cyberspace” around them.
Strategic challenges require strategic solutions. This article considers four nation-state approaches to cyber attack mitigation.
1. Technology: Internet Protocol version 6 (IPv6)
2. Doctrine: Sun Tzu’s Art of War
3. Deterrence: can we prevent cyber attacks?
4. Arms control: can we limit cyber weapons?
These threat mitigation strategies fall into different categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach.
Technology and doctrine are the most likely strategies to provide short-term improvement in a nation’s cyber defense posture. Deterrence and arms control, which are more subject to outside political influence and current events, may offer cyber attack mitigation but only in the longer term.
INTRODUCTION
Cyber security has quickly evolved from a technical discipline to a strategic concern. In 2000, information technology (IT) played no role whatsoever in NATO’s Strategic Concept. When the document was rewritten in 2010, cyber attacks were deemed capable of threatening “Euro-Atlantic prosperity, security and stability.”[1]
Today, all political and military conflicts have a cyber dimension, whose size and impact are difficult to predict. From the propaganda war over Chechnya in the 1990s to the cyber assault on Estonia in 2007, from Code Red in 2001 to the ongoing fallout from Stuxnet, world leaders have been personally involved in cyber attack and defense issues.
In 1948, Hans Morgenthau wrote that national security depends on the integrity of a nation’s borders and its institutions.[2] However, as our national critical infrastructures, including everything from elections to electricity, are computerized and connected to the Internet, cyber attacks may evolve from a corollary of real-world disputes to a lead role in future conflicts. The nature of a security threat has not changed, but the Internet provides a new delivery mechanism that can increase the speed, scale, and power of an attack.
Military planners have begun to move beyond the technical, tactical aspects of cyber security – such as how to configure a firewall or monitor an intrusion detection system – to defending the cyberspace of a nation-state. This article examines four strategic approaches to cyber attack threat mitigation:
1. Technology: can Internet Protocol version 6 (IPv6) improve strategic cyber defense?
2. Doctrine: can the world’s best military treatise – Sun Tzu’s Art of War – encompass cyber warfare?
3. Deterrence: is it possible to prevent cyber attacks?
4. Arms control: can we limit cyber weapons?
These four strategies fall into different categories. IPv6 is a technical solution; Art of War is military. The third and fourth are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach.
[1] “Active Engagement…” 2010.
[2] Morgenthau, 1948.
1. TECHNOLOGY
Vint Cerf, one of the Internet’s inventors, confessed that security was not an important consideration in its original design. If he could start over, “I would have put a much stronger focus on authenticity or authentication.”[3]
First and foremost, governments will seek to mitigate the threat of cyber attacks through new and improved technology. This is a logical approach: it is best to fix a technical problem with a technical solution. In 2011, the strongest candidate to have a strategic impact is IPv6, which is replacing IPv4 as the new “language” of computer networks.
IPv6 has a high learning curve and the pace of IPv6-specific application development has been slow. Nonetheless, most governments and large organizations understand that the technology is superior to IPv4, and have made the transition a priority. In the U.S., federal agencies are required to enable IPv6 on public-facing websites by 2012 and on internal networks by 2014.
IPv6 instantly solves the world’s shortage of computer addresses. IPv4 has around 4 billion addresses, which are insufficient for our computing needs today. IPv6, by contrast, has 50 octillion addresses for every human on planet Earth! In the military, every bullet and stick of butter will have its own, permanently associated number. In a nation, the same could apply to people – according to Chinese Internet Society chairwoman Hu Qiheng, “there is now anonymity for criminals on the Internet in China … with the China Next Generation Internet project, we will give everyone a unique identity on the Internet.”[4]
From a law enforcement and counterintelligence perspective, IPv6 could help to solve the problem of anonymous cyber attacks. However, human rights groups fear that governments will use this new capability to quash political dissent by reducing online anonymity and privacy.
IPv6 possesses better security features than IPv4, chief among them mandatory support for Internet Protocol Security (IPSec), a group of communications protocols used to authenticate and encrypt Internet traffic. The use of IPSec under IPv6 is not required, but its inherent presence gives network security administrators a powerful weapon in their arsenal against hackers.
The percentage of Internet traffic that is encrypted is constantly rising. Eventually everything on the Web could be unreadable to third parties, including network security personnel. Therefore, the need for the authentication mechanisms inherent in IPSec will also rise, in order to know with greater certainty with whom one is communicating.
[3] Menn, 2011.
[4] Crampton, 2006.
One of the most unsettling aspects of IPv6 is that during the necessarily long transition period from IPv4 there will be an increased “attack surface” as hackers exploit vulnerabilities in both IP languages at once. But when the switch is complete, IPv6 appears to have the potential to reduce the most important advantage of a cyber attacker today – anonymity – which in turn could improve the state of strategic cyber security.
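The transition risk described above has a concrete, checkable form on every dual-stack host: a service that the IPv4 firewall policy restricts to internal sources, but that also answers on IPv6 under a looser (or absent) IPv6 policy, is exposed on the second “IP language” without anyone having reviewed it. The following Python script is an added illustration of that parity check and is not code from the paper or from the author; the allow-rules, the listening sockets and the default-deny assumption are all constructed sample data.

```python
"""Dual-stack firewall parity check (added example, not from the paper).

During an IPv4-to-IPv6 transition a host answers on both protocols, so a
service that is filtered on IPv4 but left open on IPv6 widens the attack
surface.  All rules and listeners below are constructed sample data, and a
default-deny policy is assumed: anything not matched by an allow-rule is
dropped.
"""
import ipaddress

# Constructed allow-rules: (permitted source prefix, destination port).
ALLOW_V4 = [("10.0.0.0/8", 22), ("0.0.0.0/0", 443)]
ALLOW_V6 = [("::/0", 22), ("::/0", 443), ("::/0", 3306)]

# Constructed listening sockets on one dual-stack host: (bind address, port).
LISTENERS = [
    ("0.0.0.0", 22), ("::", 22),      # SSH on both stacks
    ("0.0.0.0", 443), ("::", 443),    # HTTPS on both stacks
    ("::", 3306),                     # database listener bound to IPv6 only
]


def allowed_sources(rules, port):
    """Source networks that may reach `port` under `rules` (default-deny)."""
    return [ipaddress.ip_network(net) for net, p in rules if p == port]


def source_allowed(rules, src, port):
    """True if a packet from `src` to `port` matches an allow-rule.

    ip_network.__contains__ returns False for an address of the other IP
    version, so an IPv6 source never matches an IPv4 rule by accident.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(rules, port))


def world_reachable(rules, port):
    """True if `port` is allowed from the whole Internet (a /0 rule)."""
    return any(net.prefixlen == 0 for net in allowed_sources(rules, port))


def dual_stack_gaps(listeners, allow_v4, allow_v6):
    """Ports whose IPv6 exposure is broader than the IPv4 policy intends.

    A gap is a port that listens on IPv6 and is reachable from any IPv6
    source while IPv4 either restricts it to a narrower prefix or has no
    rule for it at all (typically an IPv6-only listener that never went
    through the IPv4 firewall review).  Returned sorted for stable output.
    """
    v6_ports = {port for addr, port in listeners
                if ipaddress.ip_address(addr).version == 6}
    return sorted(port for port in v6_ports
                  if world_reachable(allow_v6, port)
                  and not world_reachable(allow_v4, port))


if __name__ == "__main__":
    for port in dual_stack_gaps(LISTENERS, ALLOW_V4, ALLOW_V6):
        v4 = [str(n) for n in allowed_sources(ALLOW_V4, port)] or ["(no IPv4 rule)"]
        print(f"port {port}: open to ::/0 over IPv6, IPv4 policy allows only {v4}")
```

On the constructed data the check flags port 22 (internal-only on IPv4, world-reachable on IPv6) and port 3306 (an IPv6-only listener with no IPv4 rule at all), while port 443 passes because both policies intentionally expose it. In practice the two rule lists would be read from the host's actual IPv4 and IPv6 filter tables and the listener list from its socket table; the point of the example is that the two policies must be reviewed as one.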
2. DOCTRINE
The establishment of U.S. Cyber Command in 2010 confirmed that cyberspace – along with land, sea, air and space – is a new domain of warfare.[5] Computers are not only a target but also a weapon. Therefore military thinkers must find a way to incorporate cyber attack and defense into military doctrine as soon as possible.
The world’s most influential military treatise is Sun Tzu’s Art of War. Its compelling and adaptive wisdom has survived myriad revolutions in technology and human conflict. Art of War tactics and strategies have been successfully applied to other disciplines including business, sports, and personal relationships.
Future cyber commanders will also find Sun Tzu’s guidance beneficial. For example, on defense, Sun Tzu warns leaders never to rely on the good intentions of others or to count on best-case scenarios.[6] This is sound advice in cyberspace because computers are attacked from the moment they connect to the Internet.[7]
The Art of War teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. (Art of War, “VIII. Variation in Tactics”)
On offense, cyber attacks are likely to play a lead role in future wars, where the nature of the fight could be above all over IT infrastructure. A cyber-only war might even please Sun Tzu, who argued that the best leaders can attain victory before combat is necessary.
The best thing of all is to take the enemy’s country whole and intact … supreme excellence consists in breaking the enemy’s resistance without fighting. (Art of War, “III. Attack by Stratagem”)
[5] Pellerin, 2010.
[6] Sawyer, 1994.
[7] Skoudis, 2006.
In theory, cyber warfare might be a good thing for the world if future conflicts are shorter and cost fewer lives, which could facilitate economic recovery and post-war diplomacy.
There are many aspects of cyber conflict, however, that are truly revolutionary, and for which it may be difficult to write military doctrine. Here are no fewer than ten to consider:
1. The Internet is an artificial environment that can be shaped in part according to national security requirements.
2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.
3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.
4. Software updates and network reconfiguration change cyber battlespace unpredictably and without warning.
5. Contrary to our historical understanding of war, cyber conflict favors the attacker.
6. Cyber attacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.
7. The difficulty of obtaining reliable cyber attack attribution lessens the credibility of deterrence, prosecution and retaliation.
8. The “quiet” nature of cyber conflict means that a significant battle could take place with only the direct participants witting.
9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.
10. There are few moral inhibitions to cyber attacks because they relate primarily to the use and abuse of data and computer code; so far, there is little perceived human suffering.
The world’s top military thinkers, including Sun Tzu, can help modern organizations fill the gaping holes in their cyber defenses, but it will take many years to incorporate all of the revolutionary aspects of cyber conflict into military doctrine.
3. DETERRENCE
World leaders have begun to look beyond reactive, tactical cyber defense to proactive, strategic cyber defense, which may include international military deterrence.
Deterrence theory gained prominence during the Cold War when the United States and Soviet Union created enough firepower in the form of nuclear weapons to destroy human civilization on our planet. The American military strategist Bernard Brodie wrote that, in the nuclear era, the purpose of armies had shifted from winning wars to preventing them.[8]
Cyber attacks per se do not compare to a nuclear explosion. However, as a powerful means to a wide variety of political and military ends, they pose an increasing threat to international security. In 2010, for example, the Stuxnet worm demonstrated that computer code alone is capable of destroying physical infrastructure such as nuclear centrifuges.[9]
Pentagon officials have therefore begun to articulate a nascent cyber attack deterrence policy. National security insiders now believe that computer sabotage could even be an act of war which could trigger a conventional military response: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”[10]
There are two primary strategies, according to deterrence theory, available to nation-states – proactive denial and reactive punishment. Both strategies have three basic requirements – capability, communication, and credibility.[11]
Deterrence by denial is a strategy in which an adversary is physically prevented from acquiring a threatening technology. This is the preferred option in the nuclear sphere because there is no practical defense against a nuclear explosion, which can demolish reinforced concrete buildings three kilometers away.[12] Deterrence by denial is a philosophy embodied in the Non-Proliferation Treaty (NPT) and a major reason behind current international tension with North Korea and Iran.[13]
Unfortunately, deterrence by denial is unlikely to succeed against cyber attacks. Nuclear technology is difficult to acquire, but hacker tools and techniques are not. Amazingly, there is little visible difference between expertise in computer network defense and computer network offense – they are essentially one and the same discipline. A good hacker may be described as someone who simply understands your computer network better than you do, and uses that knowledge for nefarious purposes.
[8] Brodie, 1946.
[9] Broad et al., 2011.
[10] Gorman & Barnes, 2011.
[11] Interview with Prof. Peter D. Feaver of Duke University.
[12] Sartori, 1983.
[13] Shultz et al., 2007.
The second deterrence strategy, reactive punishment, seeks to prevent an attack before it is launched by threatening painful or even fatal retaliation. In cyberspace, this is the only realistic option.
There are two vexing cyber security challenges, however, which undermine the credibility of deterrence by punishment – attacker attribution and attack asymmetry. First, the byzantine, international nature of the Internet almost guarantees that the “anonymous hacker” problem will not go away soon. Second, there are countless ways to show the asymmetric power of networks, such as in 2001 when a single teenage hacker, MafiaBoy, caused over $1 billion in corporate losses after a successful denial-of-service attack.[14]
A final comparison to the Cold War relates to the concept of Mutually Assured Destruction (MAD). By 1968, Soviet mastery of nuclear technology made one-sided nuclear deterrence meaningless,[15] and the two Superpowers were forced into a position of mutual deterrence. If cyber attacks are both effective and impossible to eradicate, we may now live in a world of Mutually Assured Disruption.[16]
4. ARMS CONTROL
Former CIA Director Michael Hayden posed this question during a 2010 Black Hat keynote address – “Why might it be better to bomb a factory than to hack it?” No one responded. Hayden explained that one can choose to bomb a factory at any time, but sophisticated cyber attacks take months if not years of painstaking subversion. In turn, this means that even during peacetime, nations may hack their adversaries’ critical infrastructures in order to prepare for war. This is not only a recipe for perpetual network chaos, but it also seems likely that the first shots of the next World War have already been fired.
Given the dim prospects for cyber attack deterrence and a looming cyber arms race, world leaders may decide to negotiate a cyber arms control treaty or a non-aggression pact for cyberspace.
The Russian government has long argued that an agreement similar to those which have been signed for weapons of mass destruction (WMD) could be helpful in securing the Internet.[17] In 1998, Russia successfully sponsored United Nations Resolution 53/70, which stated that while modern information and communication technology (ICT) offers civilization the “broadest positive opportunities” it was nonetheless vulnerable to misuse by criminals and terrorists.[18]
[14] Verton, 2002.
[15] This refers to the Soviet Union’s ability to mass produce nuclear weapons, and to compete in the nuclear arms race.
[16] Pendall, 2004; Derene, 2009.
No pre-Internet model is a perfect fit for cyberspace or cyber conflict. But there are three aspects of the 1997 Chemical Weapons Convention (CWC), which compels signatories to destroy CW stockpiles and forbids them from producing any more, that could be beneficial: universal appeal, political will, and practical assistance.
First, everyone is a neighbor on the Internet but the jurisdiction of law enforcement ends every time a network cable crosses a border. In the short term, this is a major obstacle to cyber attack mitigation, but as politicians, diplomats and the public grow more Internet-savvy, there may be a common realization that the only way to solve this problem is through closer international cooperation. CWC is less than 15 years old, but it has already been ratified by 98% of the world’s governments and encompasses 95% of the world’s population.
Second, strategic cyber defense may eventually receive a boost from the world’s political leadership. In 1997, Presidents Bill Clinton and Boris Yeltsin decided to issue a joint statement endorsing CWC in order to “banish poison gas from the Earth.”[19] The perceived threat from cyber attacks is growing, based on nation-state capabilities as well as the fear that terrorists will master the art of hacking. The 2010 attack on Google was serious enough to begin discussion in the U.S. on the creation of an ambassador-level post, modeled on the State Department’s counterterrorism coordinator, to oversee international cyber security efforts.[20]
Third, CWC offers practical aid to its members in the form of advocacy, weapons destruction and the advancement of peaceful uses for chemistry. A cyber weapons treaty could create an internationally staffed institution to help signatories improve cyber defenses, respond to attacks and promote peaceful uses for computer science. Computer security is not an easy discipline – proper configuration, management and incident response require more resources than most organizations and even many countries now have available.
There are two essential aspects of arms control, however, that are difficult to apply in cyberspace at this time: prohibition and inspection.
First, it is difficult to prohibit something that is hard to define, such as malicious code. Anti-malware firm Kaspersky reported that it “detected and neutralized” over 200 million “malicious programs” in the month of March 2011 alone.[21] But this can only be an estimate of the true number in existence, and it likely includes a wide range of everything from true nation-state attacks to simple, annoying advertisements. And if somehow an organization could be malware-free, professional hackers are adept at using legitimate paths to network access – such as by exploiting a default or easily guessed password – to undermine the security of a target network.
[17] Markoff & Kramer, 2009.
[18] “53/70…” 1999.
[19] “The President’s News Conference...” 1997.
[20] Gorman, 2010.
Second, it is hard to inspect something as big as cyberspace. In CWC, there are around 5,000 industrial facilities worldwide that are subject to inspection at any time – this is a large but manageable number. Compare that to a single USB Flash drive which can now hold up to 256 GB or 2 trillion bits of data, or to the 439 million Internet-connected computers located in the U.S.,[22] or to modern software in general, which is so complex and its lines of code so numerous that it is almost impossible to understand completely.[23]
In theory, a cyber weapons convention could require inspection at the Internet Service Provider (ISP) level. However, such regimes are already commonplace, such as China’s Golden Shield Project, the European Convention on Cybercrime, Russia’s SORM,[24] and the USA PATRIOT Act. Each is unique in terms of guidelines and enforcement, but all face the same problem of overwhelming traffic volume.
One significant but politically difficult step would be the international instrumentation and observation of the Internet and its network traffic flows. This may seem to be an extreme solution, but it could be the only way to slow fast-moving cyber threats such as botnets and distributed denial-of-service attacks.
CONCLUSION
Cyber security has evolved from a tactical to a strategic concern, for which nation-states must develop strategic cyber defenses. This article highlights four – technology, doctrine, deterrence, and arms control.
1. Technology: Next-generation Internet technologies such as IPv6 can redress some of the Internet’s current security shortcomings. However, IPv6 is not a silver bullet, and it will unfortunately create some new problems to solve, including a long and dangerous transition phase from IPv4. Still, IPv6 represents a logical attempt to solve a technical problem with a technical solution, and it could help to reduce the chief advantage of cyber attackers today – anonymity.
2. Doctrine: Cyber attack and defense represent a revolution in national security affairs similar to the advent of artillery, rockets and airplanes. Even the world’s most influential military treatise, Sun Tzu’s Art of War, has difficulty encompassing many basic aspects of cyber war. Nonetheless, national security leaders must rewrite military doctrine so that people and processes are better aligned and resourced for cyber conflict, and Art of War can help.
3. Deterrence: U.S. military leaders have begun to articulate a deterrence strategy for cyberspace, but two vexing cyber security challenges diminish its credibility. First, it is difficult to prevent an adversary from acquiring effective hacker tools and techniques. Second, hackers are often able to conduct powerful attacks even while remaining anonymous, which undermines the threat of prosecution or retaliation.
4. Arms control: The persistence of ubiquitous IT vulnerabilities coupled with the proliferation of hacker tools may eventually force governments to sign a cyber arms control treaty or a non-aggression pact for the Internet. But two elements of arms control seem difficult to apply to cyber weapons: prohibition and inspection. It is difficult to define “malicious” code and it is hard to inspect something as big as cyberspace.
In summary, investments in technology and doctrine are more reliable than deterrence and arms control because they are less subject to the whims of politics and current events. A cyber arms control treaty, despite its challenges, would have a key advantage over a deterrence policy alone – namely, some kind of technical verification regime. Deterrence is exclusively a military/political approach that does not, by itself, address the most significant advantage of a cyber attacker today – anonymity.
[21] “Monthly Malware Statistics…” 2011.
[22] The World Factbook, Central Intelligence Agency, 2011.
[23] Cole, 2002.
[24] Система Оперативно-Розыскных Мероприятий or “System for Operative Investigative Activities.”
__________________
REFERENCES
“53/70: Developments in the field of information and telecommunications in the context of international security,” (4 Jan 1999) United Nations General Assembly Resolution: Fifty-Third Session, Agenda Item 63.
“Active Engagement, Modern Defence: Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organisation,” (2010) NATO website: www.nato.int.
Broad, W.J., Markoff, J. & Sanger, D.E. (15 Jan 2011) “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times.
Brodie, B. (1946) THE ABSOLUTE WEAPON: Atomic Power and World Order (New York: Harcourt, Brace and Co) 76.
Cole, E. (2002) Hackers Beware (London: New Riders) 727.
Crampton, T. (19 Mar 2006) “Innovation may lower Net users’ privacy,” The New York Times.
Derene, G. (2009) “Weapon of Mass Disruption,” Popular Mechanics 186(4) 76.
Geers, K. (2011) Strategic Cyber Security (Tallinn: Cooperative Cyber Defence Centre of Excellence).
Gorman, S. (23 Mar 2010) “U.S. Aims to Bolster Overseas Fight Against Cybercrime,” The Wall Street Journal.
Gorman, S. & Barnes, J. (31 May 2011) “Cyber Combat: Act of War,” The Wall Street Journal.
Markoff, J. & Kramer, A.E. (27 Jun 2009) “U.S. and Russia Differ on a Treaty for Cyberspace,” The New York Times.
Menn, J. (11 Oct 2011) “Founding father wants secure ‘Internet 2’,” The Financial Times.
“Monthly Malware Statistics: March 2011,” (2011) Kaspersky Lab: www.kaspersky.com.
Morgenthau, H.J. (1948) Politics among nations: the struggle for power and peace (NY: A. A. Knopf) 440.
Pellerin, C. (18 Oct 2010) “Lynn: Cyberspace is the New Domain of Warfare,” American Forces Press Service.
Pendall, D.W. (2004) “Effects-Based Operations and the Exercise of National Power,” Military Review 84(1) 20-31.
“The President’s News Conference with President Boris Yeltsin of Russia in Helsinki,” (21 Mar 1997) The American Presidency Project, UC Santa Barbara: www.presidency.ucsb.edu.
Sartori, L. (1983) “The weapons tutorial-Part five: When the bomb falls,” Bulletin of the Atomic Scientists 39(6) 40-47.
Sawyer, R.D. (1994) Sun Tzu: Art of War (Oxford: Westview Press).
Shultz, G.P., Perry, W.J., Kissinger, H.A., & Nunn, S. (4 Jan 2007) “A World Free of Nuclear Weapons,” The Wall Street Journal.
Skoudis, E. (2006) Counter Hack Reloaded: a Step-By-Step Guide to Computer Attacks and Effective Defenses (NJ: Prentice Hall) 1.
Verton, D. (2002) The Hacker Diaries: Confessions of Teenage Hackers (NY: McGraw-Hill/Osborne) xvii.